
Documentation


Constants

This section is empty.

Variables

This section is empty.

Functions

func CreateCommonTlsContext

func CreateCommonTlsContext(ctx xds_context.Context, metadata *core_xds.DataplaneMetadata, validationSANMatcher *envoy_type_matcher.StringMatcher) (*envoy_auth.CommonTlsContext, error)

func CreateDownstreamTlsContext

func CreateDownstreamTlsContext(ctx xds_context.Context, metadata *core_xds.DataplaneMetadata) (*envoy_auth.DownstreamTlsContext, error)

CreateDownstreamTlsContext creates a DownstreamTlsContext for incoming connections. It verifies that the incoming connection presents a TLS certificate signed by the Mesh CA with a URI SAN prefixed spiffe://{mesh_name}/. It secures the inbound listener with the "identity_cert" certificate received from SDS (it contains the URI SANs of all inbounds). Access to SDS is itself secured by a TLS certificate (set in config or autogenerated at CP start) and by the path to the dataplane token.

func CreateUpstreamTlsContext

func CreateUpstreamTlsContext(ctx xds_context.Context, metadata *core_xds.DataplaneMetadata, upstreamService string, sni string) (*envoy_auth.UpstreamTlsContext, error)

CreateUpstreamTlsContext creates an UpstreamTlsContext for outgoing connections. It verifies that the upstream server presents a TLS certificate signed by the Mesh CA with the URI SAN spiffe://{mesh_name}/{upstream_service}. The downstream client presents to the upstream server a certificate with multiple URI SANs, which means that if a DP has inbounds for services "web" and "web-api" and communicates with "backend", the upstream server ("backend") sees that DP with a TLS certificate carrying the URIs of both "web" and "web-api". There is no way to correlate an incoming request to "web" or "web-api" with the outgoing request to "backend", so only one URI SAN cannot be exposed.

Pass "*" for upstreamService to validate only that the upstream is some service that is part of the mesh, rather than one specific service.

func EndpointMetadata

func EndpointMetadata(tags Tags) *envoy_core.Metadata

func LbMetadata

func LbMetadata(tags Tags) *envoy_core.Metadata

func MeshSpiffeIDPrefix

func MeshSpiffeIDPrefix(mesh string) string

func MeshSpiffeIDPrefixMatcher

func MeshSpiffeIDPrefixMatcher(mesh string) *envoy_type_matcher.StringMatcher

func MetadataFields

func MetadataFields(tags Tags) map[string]*pstruct.Value

func ServiceSpiffeID

func ServiceSpiffeID(mesh string, service string) string

func ServiceSpiffeIDMatcher

func ServiceSpiffeIDMatcher(mesh string, service string) *envoy_type_matcher.StringMatcher

Types

type ClusterSubset

// ClusterSubset names one Envoy cluster and carries the Weight and Tags
// associated with it in a Clusters map (see Clusters.Add and Clusters.Tags).
type ClusterSubset struct {
	// ClusterName is the name of the Envoy cluster this subset refers to.
	ClusterName string
	// Weight — presumably the relative weight used when traffic is split
	// across several subsets of one cluster name; confirm against callers of Clusters.Add.
	Weight      uint32
	// Tags is the key/value tag map (type Tags) attached to this subset.
	Tags        Tags
}

type Clusters

type Clusters map[string][]ClusterSubset

func (Clusters) Add

func (c Clusters) Add(infos ...ClusterSubset)

func (Clusters) ClusterNames

func (c Clusters) ClusterNames() []string

func (Clusters) Tags

func (c Clusters) Tags(name string) []Tags

type Tags

type Tags map[string]string

func DistinctTags

func DistinctTags(tags []Tags) []Tags

func TagsFromString

func TagsFromString(tagsString string) (Tags, error)

func (Tags) Keys

func (t Tags) Keys() []string

func (Tags) String

func (t Tags) String() string

func (Tags) WithTags

func (t Tags) WithTags(keysAndValues ...string) Tags

func (Tags) WithoutTag

func (t Tags) WithoutTag(tag string) Tags
